Is this homework? The answer may relate to situations where the SQL database is open for aggregation of multiple entries, while selecting a single entry is forbidden. This way, one can collect averages, max values, min values, etc., and this way deduce information of single entries with some probability.
–
Henning KlevjerOct 28 '12 at 7:58

2 Answers
2

I might be mincing terms here, but technically no, a statistical database shouldn't be vulnerable to SQL injection, because statistical databases tend not to use SQL as its query language. They tend to use variants of the language like MDX or DMX. Then again, some do support SQL though so...

However, since they do accept input in the form of a language they certainly can be vulnerable to injection because its not really up to the database or its server to prevent injection. Its up to the application calling into the database to properly protect against injection.

There are varying degrees of damage involved here too. In most cases you can't insert data or delete data as these databases/cubes/models tend to be read only, however it could be possible to change the intended result set and get more information than expected. I would expect this to be possible in poorly developed reporting applications.